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CLAIMS 

What is claimed is: 



1 1 . A method for facilitating secure communications among multicast nodes in a 

2 telecommunications network, the method comprising the computer-implemented 

3 steps of: 

4 receiving, from a first node, a first request to store an encryption key, wherein the 

5 first request includes an identifier, and wherein the first node uses the 

6 encryption key to encrypt data that is multicast with the identifier to a 

7 plurality of second nodes; 

8 in response to the first request, 

9 storing the encryption key; 

10 creating and storing an association between the encryption key and the 

1 1 identifier; 

12 receiving, from at least one second node of the plurality of second nodes, a second 

13 request to obtain the encryption key, wherein the second request includes the 

14 identifier; 

1 5 in response to the second request, 

16 based on the identifier included in the second request and the association 

1 7 between the encryption key and the identifier, retrieving the encryption 

18 key; and 

1 9 sending the encryption key to the at least one second node for use in 

20 decrypting the encrypted data. 

1 2. A method as recited in Claim 1, wherein: 

2 a trusted third party performs the steps of receiving the first request, storing the 

3 encryption key, creating and storing the association, receiving the second 

4 request, retrieving the enciyption key, and sending the encryption key; 

5 the first node is a router that acts as a multicast originator; and 

6 the plurahty of second nodes is a plurality of routers that act as multicast receivers. 
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1 3. A method as recited in Claim 2, wherein the trusted third party is selected from the 

2 group consisting of a certificate authority, a key distribution center, a key exchange 

3 authority, and a key exchange center. 

4 4. A method as recited in Claim 1, wherein the step of receiving the first request 

5 includes the step of: 

6 receiving a third request to register the encryption key and the identifier. 

1 5. A method as recited in Claim 1, wherein the steps of creating and storing the 

2 association include the step of: 

3 registering a certificate that includes the encryption key and the identifier. 

16. A method as recited in Claim 5, further comprising the computer-implemented steps 

2 of: 

3 in response to the first request, associating an expiration time with the encryption key; 

4 in response to the second request, determining based on the expiration time whether 

5 the encryption key has expired; and 

6 when the encryption key has expired, revoking the certificate. 

1 7. A method as recited in Claim 1, further comprising the computer-implemented steps 

2 of: 

3 in response to the first request, associating an expiration time with the encryption key; 

4 in response to the second request, determining based on the expiration time whether 

5 the encryption key has expired; and 

6 when the encryption key has not expired, performing the steps of retrieving and 

7 sending the encryption key. 

1 8. A method as recited in Claim 1, further comprising the computer-implemented steps 

2 of: 

3 registering the first node; and 

4 registering one or more nodes of the plmality of second nodes. 
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9. A method as recited in Claim 1 , further comprising the computer-implemented steps 
of: 

generating the encryption key based on an Intemet key exchange protocol with the 
first node. 

1 0. A method as recited in Claim 1 , wherein the encryption key is selected from the 
group consisting of a private key, a shared key, a pseudo-random string of bits, and a 
pseudo-random string of characters. 

11. A method as recited in Claim 1 , wherein: 

the first node uses the encryption key and Intemet protocol security (IPsec) to encrypt 

the data that is multicast; and 
the at least one second node decrypts the encrypted data based on the encryption key 

and IPsec. 

12. A method as recited in Claim 1 , wherein the first request includes a Hst of authorized 
second nodes, and further comprising the computer-implemented steps of: 

in response to the first request, storing the fist of authorized second nodes; 

in response to the second request, determining whether the at least one second node is 

included in the fist of authorized second nodes; and 
when the at least one second node is included in the fist of authorized second nodes, 

performing the steps of retrieving and sending the encryption key. 

3. A method as recited in Claim 1 , further comprising the computer-implemented steps 
of: 

storing a list of nodes; 

in response to the first request, determining whether the first node is included in the 
list of nodes; 

when the first node is included in the list of nodes, performing the steps of storing the 
encryption key and creating and storing the association between the 
encryption key and tiie identifier. 
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1 14. A method as recited in Claim 1 , further comprising the computer-implemented steps 

2 of: 

3 in response to the first request, associating one or more criteria with the encryption 

4 key; 

5 in response to the second request, determining based on the one or more criteria 

6 whether the encryption key is valid; and 

7 when the encryption key is valid, performing the steps of retrieving and sending the 

8 encryption key. 

1 15. A method as recited in Claim 1 , wherein the encryption key is an old encryption key, 

2 the identifier is an old identifier, and the association is an old association, and further 

3 comprising the steps of: 

4 in response to the first request, associating one or more criteria with the encryption 

5 key; 

6 in response to the second request, determining based on the one or more criteria 

7 whether the encryption key is valid; and 

8 when the encryption key is not valid, 

9 receiving a third request to store a new encryption key, wherein the third 

10 request includes a new identifier, and wherein the new encryption key 

11 is used to encrypt additional data that is multicast with the new 

12 identifier to the plurality of second nodes; 

13 in response to the third request, 

14 storing the new encryption key; 

1 5 creating and storing a new association between the new encryption key 

1 6 and the new identifier; 

17 receiving, from at least one additional second node of the plurahty of second 

1 8 nodes, a fourth request to obtain the new encryption key, wherein the 

19 fourth request includes the new identifier; 

20 in response to the fourth request, 
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21 based on the new identifier included in the fourth request and the new 

22 association between the new encryption key and the new 

23 identifier, retrieving the new encryption key; and 

24 sending the new encryption key to the at least one additional second 

25 node for use in decrypting the encrypted data. 

1 16. A method as recited in Claim 1 , wherein the data that the first node encrypts and 

2 multicasts is received from a source node. 

1 17. A method as recited in Claim 1 , 

2 wherein: 

3 the identifier is a session identifier; 

4 the encrypted data is multicast with an originator identifier that is based on an 

5 identity of the first node; 

6 the second request includes an unverified originator identifier; and 

7 further comprising the computer-implemented steps of: 

8 in response to the first request, associating the originator identifier with the 

9 session identifier; and 

10 in response to the second request, determining whether the unverified 

1 1 originator identifier is valid based on the originator identifier and 

12 informing the at least one second node whether the unverified 

1 3 originator is valid. 

1 18. A method as recited in Claim 1 , wherein: 

2 a trusted diird party performs the steps of receiving the first request, storing the 

3 encryption key, creating and storing the association, receiving the second 

4 request, retrieving the encryption key, and sending the encryption key; 

5 the first request is encrypted based on a public key that is associated with the trusted 

6 third party; and 

7 the first request is signed with a private key that is associated with the first node. 
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1 19. A method as recited in Claim 1, wherein a trusted third party performs the steps of 

2 receiving the first request, storing the encryption key, creating and storing the 

3 association, receiving the second request, retrieving the encryption key, and sending 

4 the encryption key, and further comprising the computer-implemented steps of: 

5 prior to sending the encryption key, 

6 encrypting the encryption key based on a public key that is associated with the 

7 at least one second node; and 

8 signing the encrypted encryption key with a private key that is associated with 

9 the trusted third party. 

1 20. A method as recited in Claim 1 , wherein the identifier is selected from the group 

2 consisting of a hostname, an Internet protocol address, a media access control 

3 address, an Internet security protocol security parameter index, a first string of 

4 pseudo-random bits, a second string of pseudo-random characters, a third string of 

5 arbitrary bits, and a fourth string of arbitrary characters. 

1 21. A method for encrypting communications among multicast nodes in a 

2 telecommunications network, the method comprising the computer-implemented steps 

3 of: 

4 sending an encryption key and an identifier that is associated with the encryption key 

5 to an authoritative node that stores the encryption key and identifier and that 

6 creates and stores an association between the encryption the encryption key 

7 and the identifier; 

8 encrypting data based on the encryption key; and 

9 multicasting the encrypted data with the identifier to one or more receiving nodes, 

wherein tiie one or more receiving nodes use the identifier to retiieve the 

1 1 encryption key from the authoritative node and decrypt the encrypted data 

1 2 based on the encryption key. 
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1 22. A method for decrypting encrypting communications among multicast nodes in a 

2 telecommunications network, the method comprising the computer-implemented 

3 steps of: 

4 receiving from an originating node a multicast that includes encrypted data and an 

5 identifier; 

6 identifying the identifier from the multicast; 

7 sending a request that includes the identifier to an authoritative node for an 

8 encryption key used by the originating node to encrypt the encrypted data; 

9 in response to the request to the authoritative node, receiving the encryption key; and 
10 decrypting the encrypted data based on the encryption key. 

1 23. A method for a certificate authority to facilitate communications based on Internet 

2 protocol security (IPsec) among multicast nodes in a telecommunications network, 

3 the method comprising the computer-implemented steps of: 

4 receiving, at the certificate authority from a first router that acts as a multicast 

5 originator, a first request to register an encryption key, wherein the first 

6 request includes a multicast session identifier and a list of authorized multicast 

7 receivers, and wherein the first router uses the encryption key to encrypt data 

8 based on IPsec and multicasts the encrypted data with the multicast session 

9 identifier to a plurality of second routers that act as multicast receivers; 

10 in response to the first request, the certificate authority creating and storing a 

1 1 multicast session certificate that includes the encryption key, the multicast 

12 session identifier, and the list of authorized multicast receivers; 

13 receivuig, at the certificate authority fi-om at least a particular second router of the 

14 plurality of second routers, a second request to obtain the encryption key, 

15 wherein the second request includes the multicast session identifier; 

16 in response to the second request, 

17 determining whether the particular second router is included in the list of 

1 8 authorized multicast receivers; 

19 when the particular second router is included in the list of authorized multicast 

20 receivers, 



Docket: 50325-0607 (1640) 



-34- 



Application of PELLACURU 



2 1 based on the multicast session identifier included in the second request 

22 and the multicast session certificate, the certificate authority 

23 retrieving the encryption key; and 

24 the certificate authority sending the encryption key to the particular 

25 second router for use in decrypting the encrypted data based on 

26 IPsec. 
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